c5e119bd46f37edd0ddf9a821c55c3422c35f082128e49fc5592327ea190d1cf

General

Target

SinapsWare by Spyro.exe
Size

1.9MB
MD5

2cc396ff85b7196f577f0f3b8c9d42f8
SHA1

a780368de8dbe0b890a0ae6f0d286233fa13c13e
SHA256

c5e119bd46f37edd0ddf9a821c55c3422c35f082128e49fc5592327ea190d1cf
SHA512

7e307df81c0a76e5365107ac3fb4885f5494bf89b7f2bd76ab5937ea1c441615b0ec73b531884c9145e30dddddbe382170478e545cee60e1315671a6452da345

Score

9^/10

bootkit discovery evasion persistence spyware stealer trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SinapsWare by Spyro.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	SinapsWare by Spyro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	SinapsWare by Spyro.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

SinapsWare by Spyro.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Wine SinapsWare by Spyro.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

SinapsWare by Spyro.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA SinapsWare by Spyro.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

SinapsWare by Spyro.exe

description ioc process

File opened for modification \??\PhysicalDrive0 SinapsWare by Spyro.exe
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

SinapsWare by Spyro.exe

pid process

2728 SinapsWare by Spyro.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

SinapsWare by Spyro.exe

pid process

2728 SinapsWare by Spyro.exe
2728 SinapsWare by Spyro.exe
2728 SinapsWare by Spyro.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SinapsWare by Spyro.exe

description pid process

Token: SeDebugPrivilege 2728 SinapsWare by Spyro.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Wine	SinapsWare by Spyro.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	SinapsWare by Spyro.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	SinapsWare by Spyro.exe

pid	process
2728	SinapsWare by Spyro.exe

pid	process
2728	SinapsWare by Spyro.exe
2728	SinapsWare by Spyro.exe
2728	SinapsWare by Spyro.exe

description	pid	process
Token: SeDebugPrivilege	2728	SinapsWare by Spyro.exe

C:\Users\Admin\AppData\Local\Temp\SinapsWare by Spyro.exe
"C:\Users\Admin\AppData\Local\Temp\SinapsWare by Spyro.exe"
1⤵
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2728

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Credentials in Files

2

T1081

Discovery

Query Registry

4

T1012

System Information Discovery

2

T1082

Virtualization/Sandbox Evasion

2

T1497

Lateral Movement

Collection

Data from Local System

2

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2728-115-0x0000000077C10000-0x0000000077D9E000-memory.dmp

Filesize
1.6MB

Download
memory/2728-116-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/2728-118-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2728-119-0x00000000038E0000-0x00000000038E1000-memory.dmp

Filesize
4KB

Download
memory/2728-120-0x00000000062C0000-0x00000000062C1000-memory.dmp

Filesize
4KB

Download
memory/2728-121-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/2728-122-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/2728-123-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2728-124-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2728-125-0x0000000006130000-0x0000000006131000-memory.dmp

Filesize
4KB

Download
memory/2728-126-0x0000000006ED0000-0x0000000006ED1000-memory.dmp

Filesize
4KB

Download
memory/2728-127-0x0000000006AA0000-0x0000000006AA1000-memory.dmp

Filesize
4KB

Download
memory/2728-128-0x0000000006BC0000-0x0000000006BC1000-memory.dmp

Filesize
4KB

Download
memory/2728-129-0x0000000006D60000-0x0000000006D61000-memory.dmp

Filesize
4KB

Download
memory/2728-130-0x0000000007850000-0x0000000007851000-memory.dmp

Filesize
4KB

Download
memory/2728-131-0x0000000007F50000-0x0000000007F51000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing